Skip to content

Revoke all from public on c functions #318

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 2, 2025
Merged

Revoke all from public on c functions #318

merged 1 commit into from
Jun 2, 2025

Conversation

AndersAstrand
Copy link
Collaborator

@AndersAstrand AndersAstrand commented May 8, 2025
edited
Loading

It feels better to have a white list of publicly executable functions than a black list.

I wasn't sure where tests that asserts that CREATE EXTENSION does the right thing belongs, but it felt like basic usage to me so I put the assertion that this is done there.

We don't have any security definer functions, but if we did they would also need to be revoked from public by default.

@codecov-commenter
Copy link

codecov-commenter commented May 8, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.40%. Comparing base (84d1b56) to head (0f3ad27).

❌ Your project status has failed because the head coverage (85.40%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files 
@@                Coverage Diff                 @@
##           TDE_REL_17_STABLE     #318   +/-   ##
==================================================
  Coverage              85.39%   85.40%           
==================================================
  Files                     22       22           
  Lines                   2602     2603    +1     
  Branches                 393      394    +1     
==================================================
+ Hits                    2222     2223    +1     
  Misses                   304      304           
  Partials                  76       76
Components Coverage Δ
access 84.20% <ø> (ø)
catalog 88.20% <ø> (ø)
common 91.80% <ø> (ø)
encryption 73.45% <ø> (ø)
keyring 72.00% <ø> (ø)
src 91.40% <ø> (ø)
smgr 97.43% <ø> (+0.01%) ⬆️
transam ∅ <ø> (∅)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@AndersAstrand AndersAstrand force-pushed the tde/revoke-from-public branch from fecffc9 to eaa8f25 Compare May 8, 2025 09:38
dutow
dutow reviewed May 23, 2025
View reviewed changes
contrib/pg_tde/t/001_basic.pl Outdated
LEFT JOIN LATERAL aclexplode(proacl) ON TRUE
WHERE
proname LIKE 'pg_tde%' AND
lanname = 'c' AND
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this test could skip this condition, and check all functions? We only allow a few functions by default, so the list would be short, and then it would also verify the sql language functions.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we want to check the sql language functions we should probably just do the ones that are SECURITY DEFINER, which currently is none. I did consider adding that, but as there are none it felt a bit weird 🙂

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added security definer functions for considerations if there ever are any :) .

@jeltz
Copy link
Collaborator

jeltz commented May 23, 2025

I support the general idea but I am pretty sure we have some functions which should be default be callable by anyone, e.g. pg_tde_is_encrypted().

@AndersAstrand AndersAstrand force-pushed the tde/revoke-from-public branch from eaa8f25 to 59e7777 Compare May 26, 2025 08:33
@AndersAstrand
Copy link
Collaborator Author

I support the general idea but I am pretty sure we have some functions which should be default be callable by anyone, e.g. pg_tde_is_encrypted().

Added pg_tde_is_encrypted() to whitelist.

@AndersAstrand AndersAstrand force-pushed the tde/revoke-from-public branch from 59e7777 to 8d1f004 Compare May 26, 2025 10:58
@AndersAstrand
Revoke all from public on c functions by default
0f3ad27 
Even though we do have some access control in most of our C functions,
it seems dangerous to not revoke them from public by default. A
whitelist of allowed functions seems safer than a black list. Also
include non-C functions which are security definer.
@AndersAstrand AndersAstrand force-pushed the tde/revoke-from-public branch from 8d1f004 to 0f3ad27 Compare June 2, 2025 18:47
@AndersAstrand
Copy link
Collaborator Author

Added pg_tde_version() to whitelist per request.

@AndersAstrand AndersAstrand merged commit 225a23c into percona:TDE_REL_17_STABLE Jun 2, 2025
16 checks passed
@AndersAstrand AndersAstrand deleted the tde/revoke-from-public branch June 2, 2025 20:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dutow dutow dutow left review comments

@dAdAbird dAdAbird dAdAbird approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@AndersAstrand @codecov-commenter @jeltz @dutow @dAdAbird